Security Now 378: Microsoft: Secrecy, Privacy and DNT

News & Errata

Security Updates

There seems to be a pattern of big updates in odd months and small updates in even months.

4 updates are rated critical

3 updates are patches for Internet Explorer

1 update fixes vulnerabilities in Windows Explorer Briefcase

5 vulnerabilities in the .NET Framework

3 vulnerabilities in the kernel's handling of TrueType

4 vulnerabilities in Microsoft Excel

1 Information disclosure patch in IIS related to FTP services

Security News

Skype Password Vulnerability: Posted in a Russian forum months ago, it exploited a flaw in the design of the password recovery process. Fixed by Microsoft.

Symantec Antivirus 11 and 12.0 could be compromised by scanning a malformed CAB file. Fix by upgrading to version 12.1 or higher.

Steve is evaluating CloudBerry (cloud backup for Windows), specifically its crypto implementation, and will report back in the coming weeks.

Steve is keeping an eye on OneID, a new venture founded by Steve Kirsch, a "serial entrepreneur". Kirsch created the first optical mouse, was behind FrameMaker, InfoSeek, and other well known ventures.

Errata

From Joe Kelley, @sandpvrr from the Great State of Maine: Audible has all 6 titles in "The Lost Fleet" series in their 50% off sale.

John McAfee, known for the McAfee antivirus software, is on the run from police in Belize. Wired has published an audio interview with him.

Portable Dog Killer update: Steve has built one and published some photos; he will discuss it in future episodes. Discussion continues in the Google Group.

Spinrite Story

A success story with solid state drives from Tim Green, "Spinrite Heals Stupidity"

Topic

A discussion of privacy and security

Steve reviews a transcript of the keynote address by Brad Smith, General Counsel and Executive Vice President at Microsoft, given at the 34th International Conference of Data Protection and Privacy Commissioners.

The transcript discusses the differences between MySpace and Facebook 5 years ago, specifically Facebook's default setting to share information only within your friends and your network.

Steve discusses "The Tyranny of the Default," the idea that most users will never change default settings. He references his cookie statistics page at GRC to compare Safari users' cookie settings against the average.

In 1890, following the invention of the camera, Louis Brandeis wrote an article about "the right to be let alone."

The transcript discusses Microsoft's decision to enable Do Not Track in their browser by default. According to research they conducted in four countries, most people believe online tracking goes too far. Most users want their privacy protected and want DNT enabled by default.

Moving DNT Forward

Do Not Track should be turned into a "final and effective DNT standard that is adopted by the W3C."

Browser vendors should have the ability to set DNT on or off by default.

Browser vendors should clearly communicate to users whether DNT is enabled and how to change it.

Advertisers and ad networks should have "an easy and effective way" to "inform consumers and obtain persistent consent" to bypass DNT.
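The DNT mechanism the list above describes, as an added example that is not from the show notes or from Microsoft: a small server-side policy that honors the `DNT: 1` request header unless the user has given persistent consent. The header values (`DNT: 1` = do not track, `DNT: 0` = tracking permitted) and the `Tk` response header values `N`, `T` and `C` come from the W3C Tracking Preference Expression draft; the consent cookie name `tracking_consent` and the sample request headers are assumptions constructed for the example.

```python
"""Server-side Do Not Track policy (added example, not from the page)."""
from http.cookies import SimpleCookie, CookieError

# Hypothetical name/value of the persistent opt-in cookie an ad network would set
# after obtaining the user's consent (assumption for this example).
CONSENT_COOKIE = "tracking_consent"
CONSENT_VALUE = "granted"


def _header(headers, name):
    """Case-insensitive lookup in a plain dict of request headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_dnt(headers):
    """Return True for 'DNT: 1', False for 'DNT: 0', None if absent or malformed."""
    value = _header(headers, "DNT")
    if value is None:
        return None
    value = value.strip()
    if value == "1":
        return True
    if value == "0":
        return False
    return None  # malformed value: treat as no expressed preference


def has_persistent_consent(headers):
    """True if the request carries the (constructed) consent cookie with the opt-in value."""
    raw = _header(headers, "Cookie") or ""
    jar = SimpleCookie()
    try:
        jar.load(raw)
    except CookieError:
        return False  # a malformed Cookie header never counts as consent
    morsel = jar.get(CONSENT_COOKIE)
    return morsel is not None and morsel.value == CONSENT_VALUE


def tracking_allowed(headers, default_when_unspecified=False):
    """Decide whether this response may set tracking identifiers.

    Explicit persistent consent overrides DNT (the bypass the keynote proposes);
    DNT: 1 without consent blocks tracking; DNT: 0 permits it; no header falls
    back to the site's own default, which here is privacy-preserving.
    """
    if has_persistent_consent(headers):
        return True
    preference = parse_dnt(headers)
    if preference is True:
        return False
    if preference is False:
        return True
    return default_when_unspecified


def build_response_headers(request_headers):
    """Build response headers that report the tracking status back to the client.

    Tk: N = not tracking, T = tracking, C = tracking under prior consent.
    A tracking identifier (constructed value) is only set when tracking is allowed.
    """
    response = {}
    if has_persistent_consent(request_headers):
        response["Tk"] = "C"
    elif tracking_allowed(request_headers):
        response["Tk"] = "T"
    else:
        response["Tk"] = "N"
    if response["Tk"] != "N":
        response["Set-Cookie"] = "ad_id=example-id; Path=/; HttpOnly; Secure"
    return response


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = {
        "IE10 default (DNT on)": {"DNT": "1"},
        "DNT off": {"DNT": "0"},
        "no preference": {},
        "DNT on, consented": {"DNT": "1", "Cookie": "tracking_consent=granted"},
        "malformed DNT": {"DNT": "maybe"},
    }
    for label, req in samples.items():
        print(f"{label:24s} -> {build_response_headers(req)}")
```

Running the block prints the decision for each constructed request; the point to note is that the server's own default for a request with no `DNT` header is what the "Tyranny of the Default" discussion is about, and it is chosen here in the user's favour.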

Final Thoughts

The EU Commission sent a message to the W3C Tracking Protection Working Group. Steve highlights some of that message:

"It is not the Commission's understanding that user agents' factory or default setting necessarily determine or distort owner choice. The specification need not therefore seek to determine the factory setting and should not do so because to intervene on this point could distort the market. Crucially, and as a different matter, the standard should foresee that, at the install or first use of the browser, the owner should be informed of the importance of their DNT choice, told of the default setting, and prompted or allowed to change that setting."

Steve points out that this is essentially what IE10 represents.

FTC Chairman Jon Leibowitz is on record as saying, "If by the end of the year or early next year we have not seen a real Do Not Track option for consumers, I suspect the commission" - meaning the FTC - "will go back and think about whether we want to endorse legislation."

Notable Quotes

Pew Research did some research in the United States:

56% of consumers decided not to complete an online purchase because of concerns about sharing personal information with the seller they were going to do business with.

30% of consumers uninstalled an app from their smart phones because of concerns about the way that app dealt with their personal information.

"That's the new model for privacy, not a model focused on secrecy but a model focused on what people are saying: they, in fact, want and need the ability to decide who they share information with and how that information will be used."